This was published 1 year ago
Opinion
Denial, complacency, anger: the stages of an Optus data breach victim
Leonie Wood
WriterThere’s a curious form of denial that takes hold when you learn a hacker, somewhere out there in cyber-spooky land, has gained access to some of the highly guarded personal identification details you grudgingly gave a telecommunications company years ago.
Surely not, you say. Not with the welter of assurances consumers are given that big companies know what they are doing, that they will not misuse data, and that they will protect it.
‘We are deeply sorry,’ a sign says outside an Optus store.Credit: Nikki Short
And then you shake yourself out of complacency and eventually concede that all those assurances were nothing more than flimsy veils. Yet another peg of faith in institutions is removed.
Along with some nine million or so other customers of Optus, my data has been exposed in an IT breach that the nation’s second-biggest telecommunications group is yet to fully explain.
To say I am pretty cranky about that is an understatement. After stupidly playing cool about it for the first week or so, I’ve taken action – and it’s been somewhat of a lesson in tidying up.
Like millions of others, I have been told via email that my name, email address, date of birth, phone number, and home address are part of a suite of details in the hands of an unknown hacker.
Initially, I was not overly concerned. So many agencies, financial institutions and retail outlets already have access to these basic personal ID details that it’s a wonder they are considered secure at all.
But that same email warned that the ID number of either my driver licence or passport has been exposed in the data breach. It did not mention my Medicare number: the risk to Medicare ID details was only publicly revealed later.
Which one of these ID documents is at risk, I couldn’t tell you because it’s been so long since I signed up to Optus that I can’t recall when or where I did, or exactly what I handed over.
Nor can I fathom any possible explanation why Optus retained all this top-level personal information of mine in its systems for, I don’t know, seven years perhaps. I’ve looked to find the requirements at law and all that did was weaken my already diminished trust in the company’s internal processes.
I guard my passport ferociously as a kind of ultimate ID, and the possibility that criminals may have those details is deeply disturbing. Not knowing if my passport has been exposed is what ultimately spurred me into action.
In the past few days, I’ve changed mobile-phone service providers, notified my bank, changed some security passwords and codes, flagged the vulnerability of my driver’s licence with VicRoads, and signed up to a class action. I also cranked up the ID security with my superannuation fund after discovering it only needed some basic details to identify me over the phone.
I’ve now advised relatives to do the same and, oddly enough, that’s yielded some good. When my adult son and I went through each step of checking security and bank details, we discovered that I’m the mysterious benefactor who’s been paying his Optus mobile phone account for years! Even he doesn’t know how long it’s been going on.
Beyond the fact of the data breach, though, what has exacerbated my concern is Optus’s staggering slow response. As a long-time customer, newspaper advertisements apologising for the breach are trite, way too late and fundamentally useless.
It was Optus’s glacial pace in providing critical details to affected customers that ultimately induced me to take my business elsewhere. I expect the drift of customers will prove an avalanche.
Two decades ago, when I covered the telecommunications sector as a business journalist, Telstra and Optus waged a relentless battle for market share. As more competition entered the market, the tussle eased.
In the past decade, their relative shares of the retail mobile market have barely moved. Telstra was reported to have about 44 per cent of mobile phone customers in 2020-21 and Optus, after years of pegging in the high 20s, laid claim to about 31 per cent.
In the wake of this data breach, though, it’s an easy bet that Optus has been haemorrhaging customers from its mobile and NBN businesses. Anecdotally, the staff at my local Telstra store were so busy dealing with disaffected Optus customers such as me, they had to cut the queue at the door.
The ramifications for Optus will be severe, and that does not bode well for its many dedicated staff. The impact, though, on customers may be long-lasting.